Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7069: SAP GUI SSO does not work when time zone redirection GP is enabled

24 June,16 at 04:34 PM

Applies to: 

SAP Netweaver AS Java SSO Module on Windows. 


Problem: 
 

SAP SSO does not work when Microsoft's Time Redirection GP is enabled. (Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Allow Time Redirection):
SNCERR_CONTEXT_EXPIRED
The security context of the current session has expired
However, SSH SSO to the SAP server works as expected. 



Cause: 

Centrify's SAP SSO module relies on Microsoft's SSPI API (Security Support Provider Interface) to perform authentication. SSPI calls are used to confirm the validity of provided Kerberos ticket. The Microsoft library calls LocalFileTimetoFileTime to convert time to UTC and compare that with the time returned by call time. If the time zone difference happens to be more than 10 hours (Kerberos ticket lifetime), the above error is given. 


Resolution: 

Since the problem is caused by API provided by Microsoft, please contact Microsoft and ask if they can provide a hotfix for this issue. Other than disabling this GP, there are no workaround to this problem since SAP SSO module relies on SSPI API to validate ticket time,

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.